diff options
author | Kerri Miller <kerrizor@kerrizor.com> | 2019-09-23 20:55:32 +0300 |
---|---|---|
committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-10-10 01:14:41 +0300 |
commit | 81eba2203902d85e3c43912e62fa69244a296b2f (patch) | |
tree | 0558de4a1d2a5983bb0b4a6ef7e543755d14fba1 /app | |
parent | 635e1578219d95ee683cd2901fa5d0f6965e7033 (diff) |
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index af6644b8fcc..a246ec15535 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -14,7 +14,7 @@ class ApplicationController < ActionController::Base include SessionlessAuthentication include ConfirmEmailWarning - before_action :authenticate_user! + before_action :authenticate_user!, except: [:route_not_found] before_action :enforce_terms!, if: :should_enforce_terms? before_action :validate_user_service_ticket! before_action :check_password_expiration @@ -92,7 +92,9 @@ class ApplicationController < ActionController::Base if current_user not_found else - authenticate_user! + store_location_for(:user, request.fullpath) unless request.xhr? + + redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated') end end |